Recent Events

Security awareness seminar held at the Energus building, Lillyhall on 27th July 2010.


Security for new builds

We will assist in planning of new corporate buildings to ensure nothing has been missed regarding physical security, access control and network design requirements. Once the building is complete, we will ensure that the staff are well trained to maintain the confidentiality, availability and integrity of the information within.

Published Articles

Get yourself a sense of security
Production Journal

Securing your IT - and reputation
Whitehaven News

Cumbrian firms urged to be better prepared for floods
News and Star

Keeping newsroom information safe
Submitted to UK Press Gazette

Cumbrians must prepare for wave of Cyber Crime
Lake District Messenger

Can your web site be trusted?
Lake District Messenger

Can your website be trusted?

Ask the average business person what they require from a website and the response will probably fall into one or more of the following categories:

  • It should drive sales.
  • It should increase awareness of the company.
  • It should be a useful resource for clients and prospects.

Whenever I ask this question, it is very rarely that I hear the words "it should be secure".

The main reason for this is that customers take it for granted that security will be built in as part of the service provided by the vendor.

But I don't think that we are right to assume that adequate precautions are always taken to protect our global shop window - so we need to ask the right questions. It may be tempting to dismiss web security as an issue that only affects e-commerce sites - but we must not forget that the website is often a prospective client's first port of call, and any defacement damages the company's reputation and the trust that customers have in its products and services.

It is alarming to find how easy it is to identify vulnerable sites and post unsavoury slogans on home pages.

As many web developers use the ubiquitous "free" website text editors to allow customers to update sites, the general public is left unaware that armies of hackers are actively looking for vulnerabilities in such programs - and finding them.

Recently, a rural county show website had its home page replaced by Islamist extremist propaganda which left the locals perplexed. After all, why should extremists target such an event?

The answer is simple: the perpetrators didn't know (or care) which site they were attacking. They just left a computer program running that located sites using vulnerable text editors and automatically injected their hateful message.

A more subtle attack randomly changes the odd word or punctuation mark, which makes the site look amateurish and leaves a bad impression on potential customers.

Wherever there are forms to complete on a web page, you should check that the vendor has closed all relevant vulnerabilities to Cross Site Scripting (XSS) or SQL Injection.

XSS is a method used by hackers to insert "rogue" code into your site, with results ranging from pop-up messages through to a complete redirection to another, often unsavoury, site.

Remember that, once this has happened, questions will start to form in the mind of visitors as to whether your company is trustworthy - especially if they ended up at a pornographic website or even downloaded viruses - thanks to your site.
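The difference between a form handler that is open to XSS and one that is not can be shown in a few lines. This is an added example, not code from the original article; the comment-box renderer, the function names and the sample submissions are all constructed for illustration.

```python
import html
from html.parser import HTMLParser

def render_comment_unsafe(author, text):
    # Visitor input is pasted straight into the page markup.
    return '<div class="comment"><b>%s</b>: %s</div>' % (author, text)

def render_comment_escaped(author, text):
    # html.escape turns < > & " ' into entities, so input is displayed as text.
    return '<div class="comment"><b>%s</b>: %s</div>' % (
        html.escape(author, quote=True), html.escape(text, quote=True))

class ActiveMarkupFinder(HTMLParser):
    """Parses a page the way a browser would and records markup that can run code."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.findings.append("<%s> element" % tag)
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onclick, onload ...
                self.findings.append("%s handler on <%s>" % (name, tag))
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in %s" % name)

def active_markup(page_html):
    finder = ActiveMarkupFinder()
    finder.feed(page_html)
    finder.close()
    return finder.findings

# Constructed form submissions: one ordinary comment, one pop-up, one redirect.
SAMPLES = [
    "Great show this year!",
    "<script>alert('pop-up')</script>",
    '<img src="x" onerror="location=\'https://example.invalid/\'">',
]

def audit(render):
    """Map each sample submission to the active markup found in the rendered page."""
    return {s: active_markup(render("Visitor", s)) for s in SAMPLES}

if __name__ == "__main__":
    for name, render in (("unsafe", render_comment_unsafe), ("escaped", render_comment_escaped)):
        print(name, audit(render))
```

Escaping of this kind covers input placed in the body or attributes of HTML; input placed inside script blocks or URLs needs encoding suited to that context.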

When a site has been attacked, the affected business will find itself in a catch-22 situation regarding an apology. They may not wish to display a message on the homepage apologising for the damage caused as this could deter future visitors - but this would leave affected visitors fuming that there wasn't any remorse shown.

SQL Injection is a method used by hackers to interfere with a database that your site may be using. By typing commands in the database language (SQL) into an online form, say the username / password text boxes, an attacker can wreak havoc on the site and possibly divulge sensitive client information.

It is vital that any vendor offering database interaction is asked to demonstrate that the SQL injection vulnerability has been removed.
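One way a vendor can demonstrate this is with a repeatable test against the login form's query. The sketch below is an added example, not code from the original article: it uses an in-memory SQLite database, a constructed account and constructed form input, and compares a query built by pasting text together with one that uses placeholders.

```python
import hashlib
import sqlite3

SALT = b"constructed-demo-salt"  # constructed; real systems use a random salt per user

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    """In-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse")))
    return db

def login_vulnerable(db, username, password):
    # Form input is pasted into the SQL text, so a quote in it changes the query.
    query = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, hash_password(password)))
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterised(db, username, password):
    # Placeholders pass the form input as data; it is never parsed as SQL.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None

# Constructed test input: the quote ends the string and "--" comments out
# the password check in the pasted-together query.
INJECTED_USERNAME = "alice' --"

def check(login):
    """Run the three cases a vendor's test should cover against one login function."""
    db = make_db()
    return {
        "valid_login": login(db, "alice", "correct horse"),
        "wrong_password": login(db, "alice", "guess"),
        "injected": login(db, INJECTED_USERNAME, "guess"),
    }

if __name__ == "__main__":
    print("vulnerable:   ", check(login_vulnerable))
    print("parameterised:", check(login_parameterised))
```

The parameterised version must return no user for the injected input; a result of "alice" there means the password check can be bypassed.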

Other questions that you should ask of vendors:

  • Who else will have access to your data and/or login credentials? Remember that some vendors reserve the right to outsource work to third parties (many of these are overseas).
  • Where is the data stored and how often is it backed up?
  • Have all images on the site been used legally - can they guarantee that there will be no copyright issues?
  • What measures do they use to keep your data secure? Do the developers use encrypted hard drives so that, should their laptop go missing, vital information (including login details) about your website will not be disclosed?
  • What "third party" software will be used in developing your site - and will the vulnerabilities be identified and rectified?
  • Do they test the site for security issues - and if so, can you see the results?